oss-sec mailing list archives

Re: backdoor in upstream xz/liblzma leading to ssh server compromise


From: Tavis Ormandy <taviso () gmail com>
Date: Sat, 30 Mar 2024 15:37:27 -0000 (UTC)

On 2024-03-30, Marc Deslauriers wrote:
> That is the problem, having more eyes on a 0-day also means more eyes from
> malicious entities. Neither having an embargo nor immediately posting publicly
> are ideal solutions. There needs to be a compromise, and while I understand and
> respect your point of view, I don't think we'll ever see eye-to-eye on what the
> acceptable compromise should be.


Yeah, but your acceptable compromise *must* include Canonical having
advance knowledge of backdoors, correct?

There are a lot of other users and organizations out there, and I think
most of them also like having some agency, I know I do. If our roles
were reversed -- my organization was on distros and yours was not -- do
you think you would still be arguing for embargoes on backdoors?

Tavis.

-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso () sdf org
_\_V _( ) _( )  @taviso
